New Feature – Upgrade of Detection Rules via the Cloud in NTA V4.5R90F04

March 20, 2023 | NSFOCUS

Function Description

This function will be available in NTA V4.5R90F04 in Q2 2023. NTA allows online upgrades of the DDoS detection rule library for automatic protection. This function can meet most of the current customization requirements by providing the latest detection rules against new types of DDoS attacks.

Configuration Procedure

Obtain the upgrade package of the DDoS detection rule library from update.nsfocusglobal.com and import it to NTA in the Local Upgrade area under Administration > Upgrade > Detection Rule Upgrade.

For automatic synchronization of the rule library, choose Administration > Upgrade > Detection Rule Upgrade and configure parameters in the Auto Sync area.

Currently, three options are available for the upgrade time, as shown in the following figures.

The new detection rule library can only be used for the protection of IP groups; it does not apply to global DDoS protection or region protection. To use the DDoS detection rules in the rule library, import the rule library package by either of the preceding methods and then apply it to a specific IP group: choose Configuration > Objects > Regions, expand a region to show all IP groups under it, click the icon in the Operation column of the IP group, proceed to IP Group DDoS Attack Alert, and configure the application mode on the Detection Rule Library Configuration tab page.

Currently, the DDoS detection rule library can be applied either automatically or manually. Manual: On the Detection Rule Library Configuration tab page, select Manual for Application Mode, click Add Rule, select a rule category, specify a rule name, and click OK. Manually added rules are not active by default; you need to set the detection mode and thresholds for these rules on the Fix Threshold Configuration tab page.

Automatic: On the Detection Rule Library Configuration tab page, select Automatic for Application Mode, set the detection mode and thresholds, and click Save. Note that if you switch the application mode to automatic, the parameter settings will be applicable to all detection rules in the current rule library. If the application mode is already automatic and you only modify parameters, the changes you made will be applicable only to rules added to the rule library after the modification. If the thresholds of a specific rule need to be changed, you can do so on the Fix Threshold Configuration tab page.

The new DDoS detection rule library supports self-learning. For manually applied rules, the method of enabling self-learning remains unchanged. For automatically applied rules, the option of automatic self-learning is added. After you select this option, you need to further configure other parameters, including the thresholds.

After new DDoS detection rules are applied to a specific IP group, traffic meeting the configured conditions triggers alerts. These alerts are viewed in the same way as DDoS attack alerts. The only difference is that alerts triggered this way are not sent to third-party devices and are not included in any reports.

The method of querying self-learning results of such rules remains unchanged.